Use PowerShell to Determine the Differences in Group Membership between Active Directory Users

I recently saw a post on Reddit where someone was trying to create a function that takes an Active Directory user name as input for a manager who has direct reports (subordinates) specified in Active Directory. They wanted to determine if the Active Directory group membership of any of those subordinates is different than the others.

There are two different parts to this scenario. The first is returning a list of the manager's direct reports by querying the directReports property of the manager's user account in Active Directory:

```powershell
Get-ADUser -Identity sbuchanan -Properties directReports |
    Select-Object -ExpandProperty directReports
```

I decided to keep that portion separate since it is easy enough to accomplish on its own, and hard coding that functionality would limit the re-usability of the group comparison portion of the tool. I wanted the user IDs (the input for my tool) to be able to come from a query against Active Directory, a list of user IDs stored in a text file, or a CSV file (for example, a list of user IDs to compare that an auditor emails to you).

The following PowerShell function compares the Active Directory group membership of one or more users. The function first builds a combined list of all groups that the specified users are in. It then determines which of those groups are "common" between the users: a group counts as common when 50% or more of the specified users are members of it. Finally, it iterates through each user, compares their group membership to the common group list, and returns each group where the user's membership differs from that list.

Compare-MrADGroup

```powershell
#Requires -Version 3.0
#Requires -Modules ActiveDirectory

function Compare-MrADGroup {

<#
.SYNOPSIS
    Compares the groups of the specified Active Directory users.

.DESCRIPTION
    Compare-MrADGroup is a function that retrieves a list of all the Active
    Directory groups that the specified Active Directory users are a member
    of. It determines what groups are common between the users based on
    membership of 50% or more of the specified users. It then compares the
    specified users' group membership to the list of common groups and returns
    a list of users whose group membership differs from that list. A
    minus (-) in the status column means the user is not a member of a common
    group and a plus (+) means the user is a member of an additional group.

.PARAMETER UserName
    The Active Directory user(s) account object to compare. Can be specified
    in the form of SamAccountName, Distinguished Name, or GUID. This parameter
    is mandatory.

.PARAMETER IncludeEqual
    Switch parameter to include common groups that the specified user is a
    member of. An equals (=) sign means the user is a member of a common group.
```

Now to use PowerShell to query the "Direct reports" of a manager in Active Directory and pipe those users into the group comparison tool. The directReports property holds the distinguished names of the subordinates, which the function accepts as UserName input, so that task can be performed with this simple one-liner:

```powershell
Get-ADUser -Identity sbuchanan -Properties directReports |
    Select-Object -ExpandProperty directReports |
    Compare-MrADGroup
```

As shown in the previous set of results, a minus in the status column means the user is not a member of a common group and a plus means they are a member of an extra group beyond the common ones. The "RatioOfUsersInGroup(%)" column returns the percentage of the specified users that are in the group; for example, 50% (3 of the 6 users) are in each of the Faculty and Staff groups and only 17% (1 of the 6 users) is in the Test01 group.
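The listing of Compare-MrADGroup on this page stops after its comment-based help, so the following is an added example, not the post's own function, that implements the three-step algorithm described above (combined group list, common groups at a 50% threshold, per-user diff) and produces the same Status and "RatioOfUsersInGroup(%)" columns the results section explains. It runs offline against a constructed membership table; the function name Compare-GroupMembership, the $Membership table and the $GroupTable parameter are all assumptions introduced for this example. In a real run you would replace the table lookup with the ActiveDirectory module, for instance (Get-ADUser -Identity $u -Properties memberOf).memberOf or Get-ADPrincipalGroupMembership, keeping in mind that memberOf does not list the user's primary group (Domain Users by default) or nested membership.

```powershell
#Requires -Version 3.0

# CONSTRUCTED membership data so the example runs without a domain.
# Replace with an ActiveDirectory module lookup in production.
$Membership = @{
    'alice' = 'Domain Users', 'Faculty', 'VPN-Users', 'Test01'
    'bob'   = 'Domain Users', 'Faculty', 'VPN-Users'
    'carol' = 'Domain Users', 'Faculty', 'VPN-Users'
    'dave'  = 'Domain Users', 'Staff', 'VPN-Users'
    'erin'  = 'Domain Users', 'Staff'
    'frank' = 'Domain Users', 'Staff'
}

function Compare-GroupMembership {
    [CmdletBinding()]
    param (
        # User names to compare. Accepts pipeline input, so the list can come
        # from Get-ADUser, Get-Content on a text file, or Import-Csv.
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$UserName,

        # Hypothetical user -> group-names map standing in for Active Directory.
        [hashtable]$GroupTable = $Membership,

        # Also emit the common groups the user IS in, with status '='.
        [switch]$IncludeEqual
    )
    begin { $Users = [System.Collections.Generic.List[string]]::new() }
    process {
        foreach ($u in $UserName) {
            if ($GroupTable.ContainsKey($u)) { $Users.Add($u) }
            else { Write-Warning "No membership data for '$u'; skipping." }
        }
    }
    end {
        if ($Users.Count -eq 0) { return }
        $Total = $Users.Count

        # Step 1: combined group list, counting how many specified users are in each group.
        $Counts = @{}
        foreach ($u in $Users) {
            foreach ($g in $GroupTable[$u]) { $Counts[$g] = 1 + [int]$Counts[$g] }
        }

        # Step 2: a group is "common" when 50% or more of the specified users are in it.
        $Common = @($Counts.Keys | Where-Object { $Counts[$_] / $Total -ge 0.5 })

        # Step 3: diff each user's membership against the common list.
        foreach ($u in $Users) {
            $compare = @{
                ReferenceObject  = $Common
                DifferenceObject = @($GroupTable[$u])
                IncludeEqual     = $IncludeEqual
            }
            foreach ($d in (Compare-Object @compare)) {
                $Status = switch ($d.SideIndicator) {
                    '<=' { '-' }   # common group the user is missing
                    '=>' { '+' }   # extra group the user has
                    '==' { '=' }   # common group the user is in (-IncludeEqual)
                }
                [PSCustomObject]@{
                    UserName                 = $u
                    Group                    = $d.InputObject
                    Status                   = $Status
                    'RatioOfUsersInGroup(%)' = [math]::Round(100 * $Counts[$d.InputObject] / $Total)
                }
            }
        }
    }
}

'alice', 'bob', 'carol', 'dave', 'erin', 'frank' | Compare-GroupMembership | Format-Table -AutoSize
```

With this constructed data Faculty and Staff each sit exactly at the 50% threshold and both count as common, so alice is reported with "-" for Staff and "+" for Test01 (17%), bob and carol with "-" for Staff, dave with "-" for Faculty, and erin and frank with "-" for Faculty and VPN-Users. To drive it from a file, use Get-Content .\users.txt | Compare-GroupMembership, or Import-Csv .\users.csv | Select-Object -ExpandProperty UserName | Compare-GroupMembership. One caveat worth keeping in mind when using this as an entitlement review: the threshold defines "normal" by majority, so a group that most of the peer set was wrongly added to is treated as common and never flagged; the tool finds outliers among peers, not over-privileged peer sets.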


Disclaimer

All data and information provided on this site is for informational purposes only. Mike F Robbins (mikefrobbins.com) makes no representations as to accuracy, completeness, currentness, suitability, or validity of any information on this site and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.